Personal data means any information related to an identified or directly or indirectly identifiable natural person (Data Subject). Personal data are hereinafter referred to as the „Data“.

If there are any other terms and definitions used herein, they will be interpreted within the meaning specified in the EU General Data Protection Regulation No. 2016/679 (“GDPR“), or any other applicable legislation (hereinafter only the „Legislation on Data Protection“).

Preamble

In DPD we take protection of personal data seriously and we pay due care to the protection from the first moment when we receive the Data until the moment of their disposal and erasure. When processing data, we abide by the Legislation on Data Protection and by internal guidelines that reflect the legislation and formulate reasonable requirements applicable to safe control and handling of the data.

Whose personal data do we process and why?

DPD processes various categories of personal data of different persons, but only to the extent necessary to achieve the purpose of the processing. The “Scope of Data” indicated hereinbelow illustrates the maximum scope possible. Each processing operation concerns only those data that are relevant only to achieve the respective purpose.

a. Data of Customers, Consignors and Consignees of the parcels

We process Identification Data relevant for providing shipping services and any tasks associated therewith duly and manifestly, including processing of orders, pickup and delivery of parcels, invoicing for the services, collecting any debts and documenting DPD business activities.

For some services it may be necessary to process also Birth Dates, or Personal Identification Card Numbers, nevertheless, this is only the case where it is indispensable for such service or task.

Note: For purpose of this Data processing, except of the case when Date of Birth is provided, DPD is not to be considered Data Processor for the Data provided to arrangement and execution of the parcel delivery (Art. 28 GDPR), but is responsible for the Data as Data Controller. For this reason, except Recipient's age verification services, it is not necessary for the Consignors to conclude Data processing contracts with DPD.

Why do we in specific cases require insight into the ID card and record some Data?

Besides basic services we offer to our clients specific products that enable the Consignor to receive more security via sure identification of the person to whom the parcel was handed over. These products called Verified Handover and Verified Handover 18+. In these cases, the parcel can only be handed over to a person designated by the Consignor, in case of Verified Handover 18+, DPD will also check the age of the accepting person (Consignor is fully responsible for the statutory reason of Consignee’s age control, as in this case DPD acts only in the role of the Data processor).

While parcel is handed over, we will record the last 5 numbers of the ID card and, in the case of verification of the Consignee's age, also a copy of the date of birth. With this we are able to assure the Consignor that his instructions were fully followed.

The other case is to check the identity of the Consignee when delivering the parcel via parcel shop (Pickup). In this case, we also carry out the identity verification and the recording of the part of the document presented in order to ensure the safe handover of the parcel to the authorized person.

Verification of identity is not performed if the set-up of the service with the Consignor and the parcel shop allows us to use the security PIN that we will send the authorized Consignee before the parcel is ready for collection.

b. Data of Contractors and their Representatives

We process necessary identification Data of representatives of our contractors and partners in order to ensure due performance of any contracts, or protection/enforcement of legitimate interests within our business relations and business activities.

We process Identification Data of employees of other employers who carry out their work at DPD workplaces or who perform tasks arising out of any contracts on behalf of our contractors (where Data are necessary for the purposes of performance of such contracts) only to comply with our statutory duties (e.g. for the purposes of safety and health protection at work and fire prevention, protection of assets and legitimate interests of DPD, or, as the case may be, communication in business relations).

Scope of the Data processed: Name and Surname, Contact Details (phone numbers, e-mail addresses), Signatures and other Data necessary to achieve the purpose.

If work is performed at DPD workplaces, these include also CCTV recordings, Identification Photos, or other Data necessary for the performance of the relevant contract, such as GPS coordinates of places where parcel labels are scanned.

d. Data of Persons in employment relations (Employees) or similar relations with DPD

We process Identification Data and other necessary Data of our employees and temporary employees to fulfil our obligations and exercise our rights arising out of employment relations, social security, tax duties, protection of our assets and legitimate interests. Where legislation requires so, we may also process Data of other persons where it is essential for fulfilling any statutory duties, including Data of children and spouses of these persons.

Scope of the Data processed: Name and Surname, Addresses, Contact Details (phone numbers, e-mail addresses), Signatures, Photos, required Information on Health screening, Data on Marital Status and other Data of similar nature, as well as Data on the Employment History, Data on using work tools and working hours, etc.

e. Data of Visitors of DPD websites and of Users of online applications

We collect Data of visitors of our website, stored in Cookies (small files that allow DPD to save specific information about the PC of the visitors of our website during their visit to DPD website to ensure optimum functionality of the DPD website and online applications for the users, and also of monitoring of its functioning and protection). Cookies help us see the frequency of the visits, number of visitors and adjust our services so that they are comfortable and efficient for the users, and they also help us identify users when using online applications and store their preferred settings. Cookies may not enter users’ system. More information please find in section Use of DPD website cookies.

Scope of the Data processed: IP Addresses and User Settings in online applications.

f. The Data of Recipients of marketing communications

We process contact details of persons representing our contractual clients and also of any other persons who have expressed their consent to marketing communications for the relevant purposes in order to offer our services and for other marketing and business purposes, and to inform them about any relevant facts associated with DPD activities. In this regard, DPD is not only bound by the Legislation on Personal Data Protection, but it also has to abide by the Act on Some Services of Information Society.

Scope of the Data processed: Name and Surname, Contact Details (e-mail addresses).

g. The Data of Persons entering monitored DPD premises

DPD premises where parcels are handled are, mainly for security reasons, monitored by CCTV and the video recordings are stored. If a person enters the premises, he may be recorded by the CCTV. The use of the CCTV is subject to strict DPD rules and recordings are accessible only by a limited number of employees, and only for the purposes of addressing any security events. As a rule, recordings are stored for 60 days on secured servers. Places that are monitored are duly marked with informative signs.

Scope of the Data processed: Appearance and Behaviour of the persons in the monitored premises

h. The Data of Other Persons

In the diverse areas of DPD’s activities, sometimes it is necessary to process Data of persons that cannot be categorised in advance. In such cases, we always process the Data only to the extent necessary to achieve the relevant purpose of the processing and within a controlled process.

Scope of the Data processed: Specific Data according to the purpose, while respecting the principle of data minimisation.

Cookies used on the DPD website

Cookies are small files containing data that enable DPD to store and analyse specific information on the preferences of DPD website visitors during their visit. If you grant your consent to their processing, cookies will download to your device when you visit the website.

In the following visits of DPD website the cookies will be recognised thanks to which the browser will remember your specific settings, or send a tailor-made content corresponding to your user preferences.

The data generated by cookies include anonymised IP address of the website visitors and they are transferred to the servers of the service providers listed below. These servers are located in the EU or the USA and they are fully compliant with the legal regulations. The service providers may provide this information to Third Parties only if it is permitted within the applicable legal regulations.

Overview of types of cookies DPD uses on its website

a. Cookies necessary for the website operation

There are certain settings that are necessary for the mere functionality of the website. These settings do not contain any specific information about the user. This also hold true of the cookies that collect data on user preferences of the website visitors which, however, do not allow for identification of the person and therefore regulations of personal data protection do not apply to them.

b. Cookies containing specific user settings

These are cookies for saving data on the settings of individual users on the website. They make the use of the website more comfortable and more efficient for the users.

These cookies do not record or monitor any activities of the users during their visit of the website.

c. Remarketing

These cookies collect data on the preferences of the users during their search and based on that they adjust their marketing communications to the interest of the users.

The purpose of this processing is to provide the user with content corresponding to his/her potential preferences, which again helps to enhance comfort for the users. The cookies remember that the user has visited the website and then share this information with other entities providing the internet services.

What service providers do we use for the above purposes?

For running cookies and achieving the purpose for which they are used, we engage the following services:

services operated by Facebook Inc., 1601 Willow Road, Menlo Park, CA 94025, USA. These services concern only those users who have a Facebook account. The principles of cookies processing by Facebook are available at the following link: https://www.facebook.com/policies/cookies

How the user may block the use of cookies at the DPD website

The users may block the cookies to be downloaded to their devices, or they can delete the cookies at any time. As the manner thereof may differ depending on the browser, type of device, etc., we recommend proceeding in line with the instructions given directly by the producers of the products that the users employ.

Detailed information on how to proceed can be easily obtained by entering “how to delete cookies” into any kind of internet search engine.

Also, users can block collection and use of the cookies in individual services as instructed by the individual service providers, e.g.:

DPD stores all data on specially protected servers. These servers are accessible only to authorised persons who are responsible for technical, business and editing tasks in relation to these servers. We have defined and implemented necessary technical and organisational measures to be able to guarantee security of your Data.

To ensure IT security and authorised access, the use of all technical devices (hardware) we employ for Data processing is regulated by clearly defined policies. Users of these devices are trained and motivated to comply with the security policies and with the system of internal control.

Moreover, Data transfers are secured by reasonable technical restraints that correspond to the relevance of the processed Data.

We also process Data that are saved on external media, be them electronic media (USB, DVD, etc.) or printed documents. Even for these cases, we have clearly defined rules how to handle the Data saved in this way, we train our staff who handle them to comply with these rules, or they are bound either by a contract or by their statutory duties.

Our priority is to protect the Data to prevent any losses, falsification, unlawful handling, abuse or unauthorised access.

Are your Data provided to any Third Parties?

We use and process your Data only for the declared purposes that are connected to our business activities. We do not provide Data we process to anyone and for any purposes that are not connected to our services, except in the following cases:

a. To comply with Statutory Requirements

There are cases specified in the legislation where we are obliged to disclose the Data we process to the competent bodies upon their request or in compliance with the legislation. These bodies include state administration bodies and authorities, social security and health insurance bodies, auditing companies etc.

b. Secondary Data Controllers

In some cases where it is necessary to act on a contract or an agreement with Data Subject, we must transfer the Data in the relevant scope to another entity that determines the purpose of and means for the Data processing on its own, in other words, to the secondary Data controller. Where we transfer the Data to another Data Controller, we will do so transparently, and we will appropriately inform you about it in advance. This usually concerns employees’ insurance policies or contracts with ICT operators that include also private numbers as requested by the employees.

c. Data processors

Data processor means any entity whom we provide with the Data to be processed within a controlled process, i.e. to carry out a certain operation necessary to achieve the purpose for which DPD has collected the Data.

These processors include without limitation:

i. Subcontracted Carriers

Entrepreneurs who pick up and deliver the parcels on behalf of the DPD based on a contract.

Scope of the data processed: Identification and Contact Details of the Consignors and Consignees of the parcels.

ii. Entities cooperating within DPD Group and partners involved in the transportation

In the case of international services, it is necessary to ensure that the parcels are delivered / transited in / to other countries, and this is done by the organisational units or partners of the DPD Group that are responsible for the services in the relevant country.

Scope of the data processed: Identification and Contact Details of the Consignors and Consignees of the parcels.

iii. ICT service providers

To a necessary extent, the Data may also be disclosed to providers of ICT services within a controlled process, including without limitation:

to ensure the efficiency of DPD services, especially the optimization of delivery processes, notification services, transfer of data about the parcels, payment of the COD service charge, etc.

Scope of the data processed: Identification and Contact Details of the Consignors and Consignees of the parcels, Identification Data of the Users of the online applications.

to support internal processes within DPD, such as internal communications, flow of information and processing of information, and to carry out any administrative activities.

Scope of the data processed: Data contained in the Company’s information systems.

to store the Data for the period as is prescribed, and for analytical and statistical purposes or other legal purposes as statutory duties.

Scope of the data processed: Identification Data and Contact Details of the Consignors and Consignees of the parcels or other relevant Data Subjects.

iv. Service Contractors

There are companies that, to a limited extent, take part in some of the DPD’s activities, while doing so they may come across some Data. This usually concerns subcontractors who are responsible for loading and sorting of the parcels.

Scope of the data processed: Data specified on the shipping labels of the parcels.

v. Contractors providing services in favor of our Employees

The data of our employees are provided to certain contractual persons within a controlled process to provide services in favor of our employees, including calculating and payment of salaries and employees’ benefits, to carry out any activities related to the employment relation and compliance with any employment requirements.

Scope of the data processed: Identification Data of the employees.

DPD has concluded Data Processing Contracts with all Data Processors whereunder the Data Processors agreed to comply with all requirements laid down in the Legislation on Data Protection and the requirements for Data security that DPD requires.

d. Other Data recipients

Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. Such disclosure may only be considered if it is necessary for defending the rights and claims of DPD CZ or Data Subjects. E.g. it may be necessary to proof the value of the consignment to the insurance company or to the entity responsible for damage to the consignment in the context of claiming damages.

Are your Data transferred abroad?

The Data related to provision of DPD services are transferred abroad for the following purposes:

a. Due delivery /transit of parcels sent to another country. In this case, the Data are provided to GeoPost SA, with its registered office at 26 rue Guynemer, 92130, Issy Les Moulineaux, France, its subsidiaries and branch offices (DPD Group) and to partners engaged in the transportation in the transit country and the destination country. In some jurisdictions of some transit/destination countries the Data may not be protected in the same extent as it is in the EU. In such cases, we strictly apply Legislation on Data Protection.

b. Archiving and statistical purposes. In this case, the Data are transferred for processing to DPDgroup International Services GmbH & Co. KG, Wailandtstrasse 1, 63741 Aschaffenburg, Germany, which is responsible for controlling and protecting the data related to the transportation for the period for which DPD is obliged to store the data on the transportation, i.e. maximum 10 years from the date of sending of the parcel.

c. Operation of the DPD website using Google Analytics provided by Google. Google Analytics use Cookies that help analyse our website and its use. Any information generated by Cookies based on your visit to the website is transferred and stored as a rule by Google on servers located in the United States of America.

Rights and requests of Data Subjects

We guarantee transparent approach in case anyone whose Data we process wishes to exercise their rights. We take requests of Data Subjects to exercise their rights seriously, and thus we also pay maximum attention to ascertain that these requests are raised by persons who are really authorised to do so. That means that before we address your request, we must verify the identity of the interested person (this does not apply to general queries regarding processing).

In line with the Legislation on Data Protection, we will respond to the requests of the Data Subject to exercise their right without undue delay, within 30 days from the date of filing the request and from ascertaining that the request was raised by an authorised person at the latest. In some exceptionally difficult cases, this period may be extended, however it will not exceed 3 months.

DPD gives you the following options to exercise your rights:

By Data-Box

Requests sent to the Data-Box are considered as raised by the authorised person if the identity of the interested person is reasonably proven.

Using Contact details and DPD customer applications

Please raise your requests related to provision of information and rectification / partial modifications of the Data of the Senders and Recipients of the parcels in the relevant delivery or in the user settings by means of the DPD customer service (customer hotline, customer service applications, e-mails, or personally at our branch offices), or directly by means of customer applications designed to this aim.

In these cases, DPD reserves the right to verify the identity of the interested person prior to addressing the request where necessary (e.g. by phone). In the case of applications that allow users to handle the Data themselves and who have to log in, the login is considered sufficient for verification of the identity. For this reason, we advise you to follow the security instructions on protection of your login data.

Opting out of receiving marketing communications with every message

This is the most straightforward method of withdrawing your consent to the processing of your e-mail address for the purposes of marketing communications. Once you opt out of the receiving of the marketing communications, DPD will erase your contact details provided for this purpose.

This e-mail address is designed for making any general queries regarding the method of Data processing in DPD (information on Data processing or requests for information), requests for access to the Data, objections against the processing and requests for erasure of Data).

Identification of the authorised person:

If we are requested to provide any information regarding the processing of Data related to a specific person, or where we shall do some operations with the Data based at your request, we reserve the right to check your identity to make sure that your request is legitimate. This actually contributes to protection of your personal Data.

We do so:

By comparing the Contact Data from which the request has been sent or raised with the Data of the Data Subject whose Data are requested. We send the information to these matching Contact addresses,

By checking whether the interested person knows the Data, especially in requests for rectification / modification of data,

By asking the interested person to produce his ID document,

By means of any other reliable proof.

If your identity and thus your authorisation to such request are not proven, we must not make the Data available to you and must not allow you to handle the Data.

What are your rights?

a. Right to information or explanation

In this statement on Personal Data protection, we give you the basic information on the scope of the Data processing and on the key elements of the processing.

We will provide you more information on the relevant Data processing at your request as long as it is indispensable for ensuring fair and transparent processing.

b. Right to access the Data

At your request, we will inform you whether we process your Data and in what scope. If requested, we can provide you with a copy of the Data. The right to obtain a copy of the Data processed may be restrained to prevent any negative interferences with the rights and freedoms of any third persons.

In some cases, e.g. in certain applications you may administer your Data on your own (through a user account).

c. Right to rectification of Data and completion of Data

If we process your Data, you have the right to request their rectification if they are not accurate, or to request completion of any incomplete Data. However, when exercising the right to have the Data completed, we must take into account purposes of the processing so that we are not forced by the request to process data that we do not need for the purpose of the processing. Any Data provided without being requested by DPD, irrespective of who provides them, are excluded from liability of DPD.

d. Right to erasure

If we process your Data, you may, while meeting certain conditions, have the right to request that your Data be erased and not retained any more. We will act on your request if:

We do not need the Data for the purpose for which we have collected them or for any compatible and legitimate purposes any more,

We process your Data exclusively based on your consent,

You have objected to the processing and it was ascertained that in the particular case your interests in privacy protection prevail over the DPD’s interests in Data processing or you have objected to the processing for direct marketing purposes,

There is another lawful basis or decision binding on DPD.

It is necessary to state here that we mostly process Data based on our statutory duties. In such cases it is not possible to request their erasure unless the purpose of their processing ceased to exist.

e. Right to object and right to restriction of processing

You have the right to object to the processing of your Data. These situations include cases where you could not influence that we process your Data, and at the same time, they are not processed based on statutory duties or vital interests. We consider the objections according to the provisions of the Legislation on Data Protection and if we found the objections reasonable, we delete the Data in line with the objection.

At the same time, anyone whose Data we process has the right to ask for restriction of the processing of their Data. We will grant such a request if the criteria for such restriction specified in the Legislation on Data Protection are met, especially if the accuracy of Data, their lawful processing or the purpose of processing for which the Data were collected have been challenged. Restricted processing is automatically carried out when considering requests for erasure of Data or objections until the requests are cleared.

f. Right of the Data Subjects to withdraw their consent to Data processing

If we have asked you for consent to the Data processing for a specific purpose and in the specific scope, you may withdraw your consent at any time by the relevant options we provide to you (e.g. opting out from marketing communications in any newsletter), or generally exercising this right by any means that DPD offers to you for such requests.

Limitation of DPD’s liability

We are liable for ensuring security of the Data we process during the entire time of processing, and for any damage caused by DPD both intentionally and by negligence.

However, there are cases where DPD’s liability is excluded, such as:

Where the damage or injury is caused by you, i.e. by the Data Subjects, or by the original Data Controller who has transferred the Data to us. The cause may include incorrect or unlawful procedure of the Data transfer,

Where we have received the Data that we did not request, or where we did not agree with the Data provider on the transfer of the relevant Data,

Where we cannot be held liable for specific Data processing operation. E.g. our website includes also a number of external links to websites of other entities. If you enter these websites, we cannot take the responsibility for the contents therein and we are not liable for any Data protection policies applied thereto.

Applicability

This Statement on Personal Data Protection is the primary document specifying the processing of the personal data in DPD. This document may be subject to changes and you are recommended to check for any updated version hereof.

DPD contact details for matters related to Personal Data Protection

If you wish to raise any queries or requests in the matter of personal data protection in DPD, please contact us using one of the means specified at our website, or send us an e-mail to: [email protected]